Bienvenido! - Willkommen! - Welcome!

Tuesday, June 19, 2012

The Spamhaus Project

(Excerpt) The Spamhaus Project is an international organisation (founded by Steve Linford in 1998) to track e-mail spammers and spam-related activity. It is named for the anti-spam jargon term coined by Linford, spamhaus, a pseudo-German expression for an ISP or other firm which spams or willingly provides service to spammers.

® Registered Trademark of The Spamhaus Project Ltd. Used under permission from Spamhaus Press Area.

Spamhaus DNSBLs and DNSWLs

Spamhaus is responsible for a number of very widely used anti-spam DNS-based Blocklists (DNSBLs) and Whitelists (DNSWLs). Many internet service providers and Internet networks use these services to reduce the amount of spam they take on. The Spamhaus lists collectively protect over 1.4 billion e-mail users, according to Spamhaus' web page (June 2008) and are estimated to block 80 billion spam emails per day globally on the internet (almost 1 million spams per second). Like all DNSBLs, their use is considered controversial by some.

The Spamhaus Block List (SBL)[1] targets "verified spam sources (including spammers, spam gangs and spam support services)." Its goal is to list IP addresses belonging to known spammers, spam operations, and spam-support services.[2] The SBL's listings are partially based on the ROKSO index of "spam gangs", for which see below.

The Exploits Block List (XBL)[3] targets "illegal 3rd party exploits, including open proxies, worms/viruses with built-in spam engines, and other types of trojan-horse exploits." That is to say, like several other DNSBLs it is a list of known open proxies and exploited computers being used to send spam and viruses. The XBL includes listings gathered by Spamhaus as well as by two contributing DNSBL operations: the Composite Blocking List (CBL) and the Not Just Another Bogus List (NJABL).

The Policy Block List (PBL)[4] serves many of the same functions as a Dialup Users List (DUL), but it is not a DUL. The PBL lists not only dynamic and DHCP type IP address space designated as 'not allowed to make direct SMTP connections', but also static assignments that shouldn't be sending email without prior arrangement. Examples of such are an ISP's core routers, corporate users required by policy to send via their internal mail server, and unassigned IP addresses. Much of the data is provided to Spamhaus by the organizers (ISPs) of the IP address space.

The Domain Block List (DBL)[5] was released in March 2010 and is a list of domain names, which is both a domain URI Blocklist and RHSBL. It lists spam domains including spam payload URLs, spam sources and senders ("right-hand side"), known spammers and spam gangs, and phish, virus and malware-related sites.

The Spamhaus White List (SWL)[6] was released in October 2010 and is a whitelist of IPv4 and IPv6 addresses. The SWL is intended to allow mail servers to separate incoming email traffic into 3 categories: Good, Bad and Unknown. Only verified legitimate senders with clean reputations are approved for whitelisting and there are strict terms to keeping a Spamhaus Whitelist account.

The Domain White List (DWL)[6] was released in October 2010 and is a whitelist of domain names. The DWL enables automatic certification of domains with DKIM signatures. Only verified legitimate senders with clean reputations are approved for whitelisting and there are strict terms to keeping a whitelist account.

Spamhaus's DNSBLs and DNSWLs are offered as a free public service to low-volume mail server operators on the Internet.[7] Commercial spam filtering services and other large sites doing large numbers of queries must instead sign up for an rsync-based feed of these DNSBLs, which Spamhaus calls its Datafeed Service,[8] at a moderate fee as long as they are not in Spamhaus's top ten worst spam service ISPs list.[9]

Spamhaus also provides two combined DNSBLs. One is the SBL+XBL[10] which allows users to query sbl-xbl.spamhaus.org once and get return codes from both lists. A newer combination is called ZEN[11] (named after founder Linford's dog), which allows users to query zen.spamhaus.org once and get return codes from the SBL+XBL and the newer PBL.
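
The single ZEN query described above, as an added example that is not part of the excerpt or Spamhaus's own code: it builds the name a mail server looks up and maps the returned A records back to SBL, XBL or PBL. The return-code values and the 127.255.255.x error range come from Spamhaus's published documentation rather than from this page, the IPv6 nibble form follows the general DNSBL convention of RFC 5782, and the function names are this example's own.

```python
import ipaddress
import socket

# ZEN return codes as published by Spamhaus (not listed on this page).
ZEN_CODES = {"127.0.0.2": "SBL", "127.0.0.3": "SBL",
             "127.0.0.4": "XBL", "127.0.0.5": "XBL",
             "127.0.0.6": "XBL", "127.0.0.7": "XBL",
             "127.0.0.10": "PBL", "127.0.0.11": "PBL"}

def dnsbl_qname(ip, zone="zen.spamhaus.org"):
    """Name to query: reversed octets (IPv4) or reversed nibbles (IPv6) + zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")[::-1]
    else:
        labels = list(addr.exploded.replace(":", ""))[::-1]
    return ".".join(labels + [zone])

def classify(answers):
    """Map the A records of one lookup to the sorted list names that matched."""
    hits = set()
    for answer in answers:
        if answer.startswith("127.255.255."):
            # Error range: the query was refused (for example sent through a
            # public resolver or over the free-use limit). Not a listing.
            raise RuntimeError("DNSBL returned error code " + answer)
        if answer in ZEN_CODES:
            hits.add(ZEN_CODES[answer])
    return sorted(hits)

def lookup(ip):
    """Live query (needs network). NXDOMAIN means the address is not listed."""
    try:
        _, _, answers = socket.gethostbyname_ex(dnsbl_qname(ip))
    except socket.gaierror:
        # Also raised when the resolver itself fails, so this path fails open.
        return []
    return classify(answers)

if __name__ == "__main__":
    print(dnsbl_qname("127.0.0.2"))  # 127.0.0.2 is the conventional DNSBL test entry
    print(classify(["127.0.0.2", "127.0.0.4", "127.0.0.10"]))  # constructed answers
```

Treating the error range as a listing would reject all mail, and ignoring it would silently disable filtering, which is why classify raises instead of returning a result.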

Spamhaus outlines the way its DNSBL technology works in a document called Understanding DNSBL Filtering.[12]

Register of Known Spam Operations

The Spamhaus Register of Known Spam Operations (ROKSO)[13] is a database of "hard-core spam gangs" -- spammers and spam operations who have been terminated from three or more ISPs due to spamming. The ROKSO list is not a DNSBL; it is, rather, a directory of publicly-sourced information about these persons and their business and at times criminal activities.

The ROKSO database is nowadays part of the signup checking procedure of many of the major ISPs, ensuring that ROKSO-listed spammers find it difficult to get hosting. A listing on ROKSO also means that all IP addresses associated with the spammer (his other domains, sites, servers, etc.) get listed on the Spamhaus SBL as "under the control of a ROKSO-listed spammer" whether there is spam coming from them or not (as a preventative measure).

There is a special version of ROKSO available to Law Enforcement Agencies (for which LEAs need to apply for access) which gives access to data on hundreds of spam gangs, with evidence, logs and information on illegal activities of these gangs, too sensitive to publish in the public part of ROKSO.

Don't Route Or Peer List

The Spamhaus Don't Route Or Peer (DROP) List[14] is a text file delineating so-called "zombie" (stolen) CIDR blocks and netblocks which are "totally controlled by spammers or 100% spam hosting operations", as shown by SBL listings, with the numbers of the underlying listings as comments. It is intended not to include netblocks registered to ISPs and sublet to spammers, but only those blocks wholly used by spammers. It is intended to be incorporated in firewalls and routing equipment to block network traffic from and to those blocks.
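
How a firewall or router job might ingest such a file, as an added example that is not part of the excerpt or any Spamhaus tooling: it parses lines of the form "CIDR ; SBL reference", rejects malformed or implausibly broad entries before they reach a filter, and reports which listing covers a given address. The sample data is constructed (documentation address ranges, placeholder SBL numbers), and the line layout, the MIN_PREFIX guard and the function names are assumptions of this example.

```python
import ipaddress

# Constructed sample in the DROP text layout: "CIDR ; SBL reference",
# with ";" starting a comment. Networks are documentation ranges and
# the SBL numbers are placeholders, not real listings.
SAMPLE_DROP = """\
; DROP list (constructed sample)
192.0.2.0/24 ; SBL000001
198.51.100.0/25 ; SBL000002
not-a-network ; SBL000003
0.0.0.0/0 ; SBL000004
"""

MIN_PREFIX = 8  # local policy of this example: never auto-block anything wider

def parse_drop(text):
    """Return (entries, rejected): entries are (network, sbl_ref) pairs."""
    entries, rejected = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        cidr, _, ref = line.partition(";")
        try:
            net = ipaddress.ip_network(cidr.strip(), strict=True)
        except ValueError:
            rejected.append(raw)
            continue
        if net.prefixlen < MIN_PREFIX:
            rejected.append(raw)  # a corrupted feed must not black-hole the Internet
            continue
        entries.append((net, ref.strip()))
    return entries, rejected

def match(ip, entries):
    """Return the SBL reference of the first block containing ip, else None."""
    addr = ipaddress.ip_address(ip)
    for net, ref in entries:
        if addr.version == net.version and addr in net:
            return ref
    return None

if __name__ == "__main__":
    entries, rejected = parse_drop(SAMPLE_DROP)
    print(match("192.0.2.77", entries), match("198.51.100.200", entries), rejected)
```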

Spamhaus Companies

The Spamhaus 'Group' (although there is no group identity) consists of a number of independent companies which focus on different aspects of Spamhaus anti-spam technology or provide services based around it. At the core is The Spamhaus Project Ltd., a UK-registered non-profit which tracks spam sources and publishes free DNSBLs. Further 'Spamhaus' companies include Spamhaus Logistics Corp.,[15] a Seychelles-registered corporation which owns the large server infrastructure used by Spamhaus and employs engineering staff to maintain it; Spamhaus Technology Ltd.,[16] a UK-registered commercial 'data delivery' company which "manages data distribution and synchronization services"; Spamhaus Research Corp., a company which "develops anti-spam technologies"; and The Spamhaus Whitelist Co. Ltd.,[17] a Jersey-registered company which manages the Spamhaus Whitelist. There are also several references on the Spamhaus website to The Spamhaus Foundation,[18] a private interest foundation (believed to be a Liechtenstein Foundation) whose charter is "to assure the long-term security of The Spamhaus Project and its work".